APPENDIX A
GLOSSARY
Access – Access means to use. For example, programs can access memory, which means they read data from or write data to the main memory. More specifically, access often means to read data from or write data to a mass storage device.
Access Control – Access control refers to mechanisms and policies that restrict access to computer resources. An Access Control List (ACL) specifies what operations different users can perform on specific files and directories (assets).
Access Control ID (ACID) – ACID is the term CA Top Secret Software uses for user identification.
Adequate Security – Adequate security is security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Agency - An agency is any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. 5 U.S.C. 552 (f) (1)
Appliances - A hardware-based device that performs one or more complex functions requiring sophisticated software and external controls. Examples include but are not limited to: firewalls, security policy manager, packet shapers, filtering/proxy devices, VPNs, network attached storage and routers.
Application - A system that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. A breach in an application might comprise other application programs, hardware, software, and telecommunications components. Applications can be either software or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
Application Owner – The head(s) of an organizational segment(s) that is responsible for authorizing funding for the procurement, development, installation and/or maintenance of a software application running on a USDA Automated Information System and its environment.
Asset - A major application, general support system, high impact program, physical plant, mission critical system or logically related group of systems. An asset is also a physical or intangible item of value to an organization or individual.
Assurance: The degree to which the purchaser of a system knows the security features and procedures being acquired will operate correctly and will be effective in the system environment.
Audit Trail – An audit trail is a series of records of computer events about an operating system, application or user activities. A computer system may have several audit trails, each devoted to a particular type of activity.
Authentication - Security measure designed to establish the validity of a transmission, message or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
Automated Information System (AIS) - An AIS is any assembly of electronic equipment, hardware, software and firmware configured to collect, create, communicate, disseminate, process, store, and control data or information.
Availability – Assurance that information, services, and IT system resources are accessible to authorized users and/or system-related processes on a timely and reliable basis and are protected from denial of service.
Awareness – Awareness is a learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of IT security.
Back-up Site (Alternate Site) – A facility that is able to support system operations in restoring critical systems to an acceptable level as defined in the DR plan. Sites are referred to as: cold, warm, hot, mobile, and mirrored.
Baseline - The baseline consists of an approved system requirements document and is initially known as the “requirements baseline”. The requirements baseline is also the basis against which the system is authenticated. Each baseline is subject to configuration control and must be formally updated to reflect approved changes to the CI or system as it goes through the life cycle stages.
Baseline Security – Baseline security refers to the minimum security controls required for safeguarding an Information Technology (IT) system based on its identified needs for confidentiality, integrity and/or availability protection.
Breach - Any illegal penetration or unauthorized access to a computer system that causes damage or has the potential to cause damage.
Business Impact Analysis (BIA) - An analysis of the business processes and interdependencies used to characterize contingency requirements and priorities in the event of a significant disruption of service. More information concerning the BIA can be found in NIST Special Publication 800-34, Contingency Planning Guide for Information Technology (IT) Systems.
Capital Planning and Investment Control (CPIC) – A systematic approach to selecting, managing, and evaluating information technology investments.
Central Processing Unit (CPU) – The Central Processing Unit is the brain of the computer. CPU is sometimes referred to simply as the processor or central processor. In terms of computing power, the CPU is the most important element of a computer system.
Certificate - A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its subscriber, (3) contains the subscriber’s public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
Certificate Authority (CA) - An authority trusted by one or more Users to issue and manage X.509 Public Key Certificates and Certificate Authority Revocation Lists.
Certificate Policy (CP) - A Certificate Policy is a specialized form of administrative policy tuned to electronic transactions performed during certificate management. A certificate policy addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery and administration of digital certificates.
Certificate Revocation - Cancellation of a certificate prior to its designated expiration date. Reasons for revocation of a certificate include corruption, compromise or loss of a certificate, departure of the certificate holder or deactivation of the server where the certificate resides.
Certificate Revocation List (CRL) - An electronically signed, time-stamped list of serial numbers of CA public key certificates, including cross-certificates that have been revoked.
Chain of Custody – The protection of evidence by each responsible party to ensure it against loss, breakage, alteration or unauthorized handling. This protection also includes properly securing, identifying, and dating evidence. Individuals place their initials and date on the container when the evidence is stored in a container or on the evidence in such a way that no damage is incurred.
Client – A term that refers to the client part of a client/server architecture. Typically, a client is an application that runs on a personal computer or workstation and relies on a server to perform some operations. For example, an e-mail client is an application that enables you to send and receive e-mail.
Client/Server Architecture - Network architecture in which each computer or process on the network is either a client or a server. Servers and mainframes are powerful computers or processes dedicated to managing disk drives (file servers), printers (print servers), or network traffic (network servers). Clients are PCs or workstations on which users run applications. Thin clients rely on servers and mainframes for resources, such as files, devices, and even processing power. Client-server architectures are sometimes called two-tier architectures.
CM Authority (CMA) - The agency CIO/Agency Head/Site Executive decision-making authority that approves or disapproves proposed changes and exercises authority at the agency or site level via a Configuration Control Board (CCB).
CM Planning and Management - CM planning and management includes organizing, coordinating, and managing all of the tasks necessary to implement and conduct CM activities. CM planning and management occurs throughout all life-cycle phases of a system.
CM Program Library - A CM Program Library is a location that contains software code, system technical documentation and the official master copies of all configuration item baselines or pointers to their location. CM program libraries may be established at the office, agency, site, or system program/project organizational level. Efficient operation of the library is enhanced if automated tools are available.
CM Specialist (CMS) - The person responsible for management and operation of the CM system. A CMS ensures that appropriate CM plans and procedures are developed and implemented; ensures that all requests for changes are processed properly; provides reports on the status of all configuration items and proposed system changes; and controls all of the configuration baseline items.
Common Criteria (CC) – CC was developed by NSA and NIST, in cooperation with the National Information Assurance Partnership (NIAP), as a security evaluation scheme that enables vendors of IT systems to provide C2 equivalent protection capabilities and is an international standard.
Compromise – A compromise is the unauthorized disclosure, modification, substitution, or use of sensitive information, or the invasion of a system by getting around its security. A computer has been compromised, for example, when a Trojan horse has been installed.
Compromise of Integrity – A compromise of integrity is any unauthorized modification of the correctness of information or data.
Computer Associates Access Control Facility 2 (CA-ACF-2) – CA-ACF-2 is one of several types of security access control software used to provide minimum standard protection in IBM and IBM Compatible mainframe environments.
Computer Room – The physical space that houses any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information.
Computer Security Incident – A computer security incident is any adverse event whereby some aspect of a computer system is threatened: loss of data confidentiality, disruption of data or system integrity, disruption or denial of availability. Some examples are listed below:
Intrusion of computer systems via the network (often referred to as “hacking”);
The occurrence of computer viruses and/or resulting damage;
Unusual or suspicious probes for vulnerabilities via the network to a range of computer systems (often referred to as scans);
Unusual processes, not installed by USDA, running on server.
Within the computer security arena, these events are often simply referred to as “incidents”. The definition or identification of an incident may vary for each USDA agency or mission area depending on the situation. However, the following categories (also defined in this section) are generally applicable: Compromise of Integrity, Denial of Service, Misuse, Damage, and Intrusions.
Computer Security Policy - Senior management's directives that create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Policy may also refer to entirely different matters, such as the specific managerial decisions setting an organization's e-mail privacy policy or fax security policy.
Computer System – This term applies to any equipment or interconnected system or subsystems of equipment that is management, movement, control, display, switching, interchange, transmission or reception of data or information. This includes computers, ancillary equipment, software, firmware, and similar procedures, services, including support services and related resources as defined by regulations issued by the Administrator for the General Services Administration.
Confidentiality – A security requirement that private or sensitive information not be disclosed to unauthorized individuals.
Configuration Auditing/Verification - The Configuration Audit and Verification process is used to verify a product’s performance requirements have been achieved by the product/system design and have been accurately documented.
Configuration Change Control - The configuration control process manages the current configuration baseline, which results from the configuration identification process.
Configuration Control Authority - The project or system manager decision-making authority that approves or disapproves proposed changes and exercises authority at the project/system level, within the scope of their charter, via a Configuration Control Board (CCB).
Configuration Control Board (CCB) - A CCB is composed of management, technical and user representatives who recommend approval or disapproval of proposed changes to a CI and its current approved configuration documentation and manage Configuration Item (CI) baselines.
Configuration Identification - The Configuration Identification documents the products of system engineering and the approved configuration of the physical and functional characteristics of the system or product. In addition, Configuration Identification provides unique product and document identifiers and establishes baselines for Government/contractor configuration control.
Configuration Item (CI) - A CI is an aggregation of hardware and/or software that satisfies an end use function and is designated by the Government for separate configuration management.
Configuration Management (CM) - CM is a process of reviewing and controlling the components of an Information Technology System throughout its life to ensure that they are well defined and cannot be changed without proper justification and full knowledge of the consequences. CM ensures that the hardware, software, communications services and documentation for a system can be accurately determined at any time.
Configuration Status Accounting - This process provides visibility into status and configuration information concerning the product, system, and its documentation. CSA tracks configuration documentation changes and documents the configuration of items. These records include both current and historical information to ensure traceability from the initial requirements.
Contingency Planning – Refers to the dynamic development of a coordinated recovery strategy for IT systems or application, operations, and data after a disruption. The planning process requires several steps: develop policy; conduct business impact analysis (BIA); identify preventive controls; develop recovery strategies; develop contingency plan; test and exercise the plan; train personnel; and maintain the plan.
Contingency Planning Coordinator – A delegated individual who designates appropriate teams to implement the recovery strategy. Each team should be trained and ready to deploy in the event of a disruptive situation requiring plan activation.
Controlled Access Protection (C2) – C2 is a standard that is applied to operating system software to provide a required minimum level of security. This standard is the highest government rating for business computing products and requires that the system have discretionary resource protection and auditing capability.
Cookie – A small piece of information that may be sent to a computer connected to the Internet to track a user’s Web browsing habits. There are two types of cookies: a session cookie is a line of text temporarily stored in a computer's Random Access Memory that is never written to a drive and is destroyed as soon as the browser is closed; a persistent cookie is a more permanent line of text that gets saved by a browser to a file on the hard drive that can be used to track a user’s browsing habits.
Copyright - Copyright is the ownership of an intellectual property within the limits prescribed by a particular nation’s or international law. In the United States, for example, the copyright law provides that the owner of a property has the exclusive right to print, distribute, and copy the work and permission must be obtained by anyone else to reuse the work in these ways. The notion of freedom of information and the ease of posting, copying and distributing messages on the Internet may have created a false impression that text and graphic materials on World Wide Web sites, posting in “usenet” news groups and messages distributed through e-mail lists and other electronic channels are exempt from copyright statutes. In the United States, copyright is a protection provided under title 17 of the U.S. Code, articulated in the 1976 Copyright Act. Copyright of a creative work extends 50 years beyond the lifespan of its author or designer. Works afforded copyright protection include literature, journalistic reports, musical compositions, theatrical scripts, choreography, artistic matter, architectural designs, motion pictures, computer software, multimedia digital creations, and audio and video recordings. Copyright protection encompasses Web page textual content, graphics, design elements, as well as postings on discussion groups.
Countermeasures and Controls – Countermeasures and controls refer to the procedures or techniques used to prevent the occurrence of a security incident, detect when an incident is occurring or has occurred, and provide the capacity to respond to or recover from a security incident. Basically, they are intended to protect the assets and availability of an IT system. (Synonymous with safeguards.)
Cross-certification - The process in which each CA signs another's certificate to signify trust. This is a peer-to-peer certification.
Cryptography - The science and practice that embodies principles, means and methods for the transformation of information to hide its content, prevent its undetected modification, and prevent its unauthorized use.
Customer Information Control System (CICS) – A system that was originally developed to provide transaction processing for IBM. It controls the interaction between the application and users; CICS also lets the programmer develop screen displays without detailed knowledge of the terminal being used.
Damage – Damage is the unauthorized deliberate or accidental modification, destruction or removal of information or data from a computer system.
Database Management System (DBMS) – A collection of programs that enables the storage, modification and extraction of information from a database. There are many different types of DBMS programs ranging from small systems that run on personal computers to huge systems that run on mainframes.
Data Encryption Standard (DES) – A DES key consists of 64 binary digits of which 567 are randomly generated and used directly by the algorithm. (FIPS 46-3) A Data Encryption Standard (DES) is a U.S. Government-approved, symmetric cipher, encryption algorithm used by business and civilian government agencies. The Advanced Encryption Standard (AES) is designed to replace DES. The original “single” DES algorithm is no longer secure because it is now possible to try every possible key with special purpose equipment or a high performance cluster. Triple DES (see glossary entry below), however, is still considered to be secure.
Data Integrity - The state that exists when computerized data or information is the same as that in the source documents or code and has not been exposed to accidental or malicious alteration or destruction.
Data Key - A cryptographic key which is used to transform data (e.g., encrypt, decrypt, authenticate).
Decryption - The process of transforming encrypted data into plain or readable information.
Demilitarized Zone (DMZ) - A demilitarized zone serves as connection points for computer systems that need to be accessible either externally or internally, but due to the inherent risks associated with public connectivity, should not be placed on the internal protected network. The DMZ sits between the public Internet and the internal networks.
Denial of Service – Denial of service is an inability to utilize system resources due to unavailability; for example, when an attacker has disabled a system, a network worm has saturated network bandwidth, an IP address has been flooded with external messages or “a system manager and all other users become locked out of a UNIX system, which has been changed to single user mode.”
Designated Accrediting Authority (DAA) – From a security perspective, all USDA General Support Systems (GSS) and Software Applications are required to undergo a security certification process and be accredited by a Designated Accrediting Authority (DAA) prior to being placed in operation. This individual is the agency management official who formally authorizes a system’s operation in writing and explicitly accepts any risks associated with that system. The implementation of a formal configuration management process is a requirement for system accreditation.
Device – A piece of hardware that performs a specific function related to or included in an IT system, usually a General Support System, with a minimum of intervention. Examples include but are not limited to: network switches, CSU/DSUs, printers and routers.
Digital Certificate (Public Key) - An attachment to an electronic message used for security purposes. A digital certificate is used to verify that a user sending a message, or accessing a site on the Internet, is who he or she claims to be. Digital certificates are obtained from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the user’s Public Key and other identifying information.
Digital Signature - The result of a transformation of a message by means of a cryptographic system using keys such that a Relying Party can determine: (1) whether the transformation was created using the private key that corresponds to the public key in the signer’s digital certificate; and (2) whether the message has been altered since the transformation was made.
Digital Subscriber Line (DSL) - DSL (Digital Subscriber Line) is a technology for bringing high-bandwidth information to homes and small businesses over ordinary copper telephone line. A DSL line can simultaneously carry both data and voice signals, and the data part of the line is continuously connected.
Discretionary Access Control (DAC) - DAC is an access policy in which the system owner restricts access to system objects such as files, directories, devices, databases, and programs, based on the identity of the users and/or groups to which they belong.
Disruption – An unplanned event that causes the General Support System or Application to be inoperable for an unacceptable length of time (e.g., minor or extended power outage, extended unavailable network, or equipment or facility damage or destruction).
Education – IT security education focuses on developing the ability and vision to perform complex, multi-disciplinary activities and the skills needed to further the IT security profession. Education activities include research and development to keep pace with changing technologies and threats.
Electronic Record - Any record that is created, used, maintained, transmitted, and disposed of in electronic form. Such records may be stored in computer memory (random access memory) or on flexible disks. Offices may or may not have non-record paper copies of electronic records. Electronic records are also referred to as machine-readable records because they require machine processing for conversion to human-readable form. Examples of these types of records include those on magnetic tapes, disks and drums, video files, optical disks, and floppy disks.
Employee Owned Equipment - Personal computing equipment owned and maintained by the employee, but used for official USDA business under an approved telework arrangement.
Encryption – Encryption is the process of transforming readable information into cipher text, which cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood. The use of encryption/decryption is as old as the art of communication. A cipher, often incorrectly called a "code," can be employed to keep unauthorized parties from obtaining the contents of transmissions. PKI encryption uses two separate but related keys, a Key Pair, in a process known as asymmetric encryption. One key, the Public Key, is used to encrypt a message or Internet session. The sender’s Private Key attaches a separate digital signature to the data. The second key, or Private Key, is also used to decrypt a message or session.
Evasive – A term used to classify material that is characterized as exhibiting evasion, intentionally vague, or ambiguous.
Exposure - A measure of the potential risk to an IT system from both external and internal threats.
Extranet – An extranet is the extension of an organization’s intranet out onto the Internet. This is in contrast to, and usually in addition to, the organization’s public web site that is accessible to everyone. The difference can be somewhat blurred but generally an extranet implies real-time access through a firewall of some kind. Selected customers, suppliers and mobile workers can access the company’s private data and application via the World Wide Web.
Federal Bridge Certification Authority (FBCA) - The Federal Bridge Certification Authority consists of a collection of Public Key Infrastructure components (Certificate Authorities, Directories, Certificate Policies and Certificate Practice Statements) that are used to provide peer-to-peer interoperability among Agency Principal Certification Authorities.
Federal Computer System – This term applies to a computer Federal agency or other organization that processes information using a computer system on behalf of the government to accomplish a Federal function. This includes automatic data processing equipment.
Federal Operator – A Federal operator is any person who operates a Web site located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such Web site or online service.
Firewall - A firewall is a security policy and technology that defines the services and accesses permitted and the implementation of that policy in terms of a network configuration. The main purpose of a firewall is to restrict access to or from a protected network. It implements a network access policy by forcing connections to pass through the firewall, where they are examined and evaluated. A USDA firewall must use stateful inspection technology that is aware of the content and state of connection. This technology, which denies all traffic unless it is specifically allowed, employs rules targeted squarely at implementing security decisions at all levels; effectively logs activities; filters throughout all levels of the protocol stack; tracks valid active sessions; and processes/filters/tracks high level applications such as electronic mail, file transfer and hyper-text transmission.
Functional Requirement: An expressed need for a system to exhibit specific, often quantified, behaviour as a result of its interaction with its operational environment.
General Support System (GSS) - GSS is a collection of interconnected information resources or computing environments under the same direct management control, which shares common functionality. A general support system normally includes hardware, software, information, data, applications, communications, facilities, and people, and provides support for a variety of users and common applications. A general support system, for example, can be a local area network (LAN) including smart terminals that support a branch office, a backbone network (e.g., agency-wide), communications network, departmental processing center including its operating system and utilities, tactical radio network, office automation and electronic mail services, or shared information processing service organization. A general support system can also host one or more major applications.
Government Owned Equipment - Personal computing equipment owned and maintained by the USDA, but used for official USDA business under an approved telework arrangement.
Grantee – One to whom a grant is made. In USDA, grant agreements are made with individuals, entities, and academic institutions to perform scientific research and other studies as authorized by law.
Guidance – Interim documents designed and issued to control or govern security behavior. Guidance provides policy and procedures to be used until a subject specific directive is published.
Hackers/Crackers – The term “hacker” is used to describe any individual who attempts to compromise the security of an IT system, especially those whose intention is to cause disruption or obtain unauthorized access to data. A “cracker” is any individual who uses advanced knowledge of networks or the Internet to compromise network security.
Harm – Harm is to damage, injure or impair Information Technology (IT) systems using electronic methods.
Homepage – The first page (i.e., the opening screen) of a Web site.
Host - A computer that acts as a source of information or signals. The term can refer to almost any kind of computer, from a centralized mainframe that is a host to its terminals, to a server that is host to its clients, to a desktop personal computer (PC) that is host to its peripherals. In network architectures, a client station (user's machine) is also considered a host because it is a source of information to the network in contrast to a device such as a router or switch that directs traffic.
Hotfix - Microsoft’s term for a bug fix, which is accomplished by replacing one or more existing files in the operating system or application with revised versions.
IBM UNIX System Services – Unix System Services provide all of the capabilities and flexibility of UNIX in the z/OS/OS390 IBM operating system.
Incident Handling - This refers to the actions taken to resolve the incident.
Incident Oversight – This process is the ongoing surveillance of the networks and systems to spot new vulnerabilities and take corrective actions in advance of incidents.
Incident Reporting - This involves formal acknowledgement that a computer incident occurred.
Incident Response – This process is the analysis of how the incident happened and how to handle the situation so that it does not reoccur.
Individual - An individual is a citizen of the United States or an alien lawfully admitted for permanent residence.
Individual Accountability - Individual accountability requires individual users to be held accountable for their actions after being notified of the rules of behavior in the use of the system and the penalties associated with the violation of those rules.
Information – Information means any communication or representation of knowledge such as facts, data or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative or audiovisual forms.
Information Technology (IT) – IT refers to computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software.
IT System: A collection of computing and/or communications components and other resources that support one or more functional objectives of an organization.